Subject: def-2000-04: Bea WebLogic Server dotdot-overflow
From: Peter Gründl (peter.grundl@DEFCOM.COM)
Date: Tue Dec 19 2000 - 06:34:02 CST


======================================================================
                   Defcom Labs Advisory def-2000-04

                       Bea WebLogic Server dotdot-overflow

Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2000-12-19
======================================================================
------------------------=[Brief Description]=-------------------------
It is possible to trigger a race condition in the handling of URLs that
begin with ".." which results in a stack buffer overflow: the stack and
registers are partially overwritten with attacker-supplied data.

------------------------=[Affected Systems]=--------------------------
Bea WebLogic Server for Windows NT prior to V5.1.0 - Service Pack 7

----------------------=[Detailed Description]=------------------------
WebLogic Server has a dedicated handler for URL requests that start with
".." (dotdot). By sending an oversized URL of that form
(..aaaaaaaaaaaaaaaaaaaa followed by many more bytes) and then
disconnecting, it is possible to trigger a buffer overflow in that
handler. The result ranges from crashing the web server to executing
arbitrary code with the privileges of the web server process, which on
Windows NT usually means LocalSystem.
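
The bug class described above, modelled in C as an added illustrative
example. This is not WebLogic's code and nothing about its internals is
known from the advisory: the handler names, the 64-byte buffer size, the
return codes and the "..aaaa..." request shape are assumptions chosen to
show the defect (an unbounded copy of an attacker-controlled URL into a
fixed stack buffer) next to a hardened handler that checks the length
before copying and rejects oversized requests instead of truncating them.

```c
/* Illustrative model of a "dotdot" URL handler with a stack overflow,
 * beside a hardened version. NOT WebLogic's code; DOTDOT_BUF, the
 * function names and return codes are assumptions for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DOTDOT_BUF 64   /* assumed size of the handler's stack buffer */

/* True if the path is one the special ".." handler would receive. */
bool is_dotdot_request(const char *url)
{
    return url != NULL && url[0] == '.' && url[1] == '.';
}

/* Length of s, but never scanning more than max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Vulnerable pattern: strcpy of an attacker-controlled URL into a
 * fixed-size stack buffer. When strlen(url) >= DOTDOT_BUF the copy runs
 * past `local` and overwrites the saved frame (saved registers, return
 * address), which is the "stack and registers partially overwritten"
 * outcome the advisory describes. Kept here only to show the shape of
 * the defect; never feed it untrusted input. */
int handle_dotdot_unsafe(const char *url)
{
    char local[DOTDOT_BUF];
    if (!is_dotdot_request(url))
        return -1;                  /* not a ".." request */
    strcpy(local, url);             /* no length check: the bug */
    return (int)strlen(local);
}

/* Hardened form: measure with a bound first, fail closed on oversized
 * input, and only then copy a known-good number of bytes. */
int handle_dotdot_safe(const char *url)
{
    char local[DOTDOT_BUF];
    size_t n;

    if (!is_dotdot_request(url))
        return -1;                  /* not a ".." request */
    n = bounded_len(url, DOTDOT_BUF);
    if (n >= DOTDOT_BUF)
        return -2;                  /* too long for the buffer: reject */
    memcpy(local, url, n + 1);      /* bounded copy including the NUL */
    return (int)n;
}

/* Build a request path of the shape the advisory describes
 * ("..aaaa...", total length len) into dst; dst must hold len + 1 bytes. */
void build_dotdot_payload(char *dst, size_t len)
{
    if (len < 2)
        len = 2;
    memset(dst, 'a', len);
    dst[0] = '.';
    dst[1] = '.';
    dst[len] = '\0';
}

/* Build a payload of the given length and return the hardened handler's
 * verdict: the length if accepted, -2 if rejected as oversized. */
int check_payload_len(size_t len)
{
    static char req[1024];
    if (len > sizeof req - 1)
        len = sizeof req - 1;
    build_dotdot_payload(req, len);
    return handle_dotdot_safe(req);
}

int main(void)
{
    printf("normal ../index.html -> %d\n", handle_dotdot_safe("../index.html"));
    printf("300-byte ..aaaa request -> %d\n", check_payload_len(300));
    /* handle_dotdot_unsafe() on the 300-byte request would smash the stack. */
    return 0;
}
```

The point of the hardened handler is the order of operations: the length
is established with a bound before any byte is written to the stack, and
an oversized path is refused rather than silently truncated, so a client
that sends the long URL and drops the connection never gets a write past
the buffer regardless of timing.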

---------------------------=[Workaround]=-----------------------------
Upgrade to Bea WebLogic Server 5.1.0, Service Pack 7, which contains the fix:
http://commerce.beasys.com/downloads/weblogic_server.jsp

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 20th of
November, and notification of a fix was received by Defcom on the 19th
of December.

======================================================================
             This release was brought to you by Defcom Labs

               labs@defcom.com www.defcom.com
======================================================================